Responsible disclosure

AndSafety is committed to the privacy, safety and security of our customers.

AndSafety aims to keep its service safe for everyone, and data security is of the utmost priority. If you are a security researcher and have discovered a security vulnerability in our product, website, or service, we appreciate your help in disclosing it to us in a responsible manner.

If you are a current customer

If you feel your account may have been compromised, or if you suspect fraudulent behavior, do not hesitate to contact our support team. Your issue will be investigated immediately and thoroughly.

If you are a security researcher or have discovered a vulnerability

If you think you’ve found a security vulnerability in the AndSafety website or service, contact us immediately via responsible-disclosure@andsafety.com.

What should you consider when using Responsible Disclosure?
If you are reporting a vulnerability in an ICT system, remember the following:

  • Provide sufficient information to reproduce the problem, so that AndSafety can solve it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient. In more complicated situations, more information may be necessary.
  • Provide contact information (email address or telephone number) so AndSafety can contact you.
  • Report as soon as possible after discovery of the vulnerability.
  • Don’t share the information about the security problem with others until it is solved.
  • Be responsible with the knowledge of the security issue. Refrain from actions that go beyond what is necessary to demonstrate the vulnerability.

Do you meet these conditions? Then AndSafety will take no legal action in response to your report.

Do not abuse a vulnerability in an ICT system
If you discover a vulnerability, don’t abuse it, for example by:

  • copying, changing or deleting data in a system (an alternative is to create a directory listing of a system);
  • making changes to the system;
  • repeatedly gaining access to the system or sharing access with others;
  • using a so-called ‘brute force attack’ to gain access to systems;
  • using denial-of-service attacks or social engineering.

What does AndSafety do with Responsible Disclosure?
Have you reported a vulnerability in an IT system? AndSafety handles your report as follows:

  • AndSafety strives to respond to your report within 3 working days. This response may contain an assessment of the report and an expected date for a solution.
  • AndSafety keeps you, as the reporter, informed of the progress of solving the problem.
  • AndSafety solves the security problem as soon as possible, and within 60 days at the latest. AndSafety will decide with you whether and how the reported problem is made public. Publication takes place after the issue is resolved.
  • AndSafety can, if you wish, include your name on the Hall of Fame list as the discoverer of the reported vulnerability.
  • AndSafety could offer you a reward as thanks for the help.

AndSafety treats your report confidentially. AndSafety shares no personal information with third parties without your consent, except as required by law or by a court order.

Hall of Fame

See our Hall of Fame